We do have a number of rules for secrets detection that focus on supporting specific providers. The rules available to you vary on which product you’re using (SonarQube Community Build / Server / Cloud). Which are you using?
You’ve obfuscated the real keys (rightfully so!). Do they belong to a specific provider?
Normally I’d push you to try on a supported version of SonarQube, but this was simple enough for me to try and reproduce on SonarQube Cloud. I’m surprised that a Security Hotspot isn’t raised. I’ll flag this for attention.
Thank you for reporting. Indeed, we should be catching such issues. I believe this rule should have triggered: RSPEC
I did a quick test and I believe it doesn’t trigger as you are using a ternary expression. I also checked that it doesn’t trigger within an object assignment. I’ve created a ticket to track this: Jira